METHOD OF GENERATING A CHAOS-BASED PSEUDO-RANDOM SEQUENCE AND A HARDWARE GENERATOR OF CHAOS-BASED PSEUDO RANDOM BIT SEQUENCES

Priority Claim 

[1] This application claims priority from European patent application No. 02425689.3, filed November 12, 2002, which is incorporated herein by reference.

Technical Field 

[2] The present invention relates generally to the generation of pseudo random numbers, and in particular to a method for generating a sequence of chaos-based pseudo random numbers and a relative hardware implementation thereof.

Background 

[3] Pseudo-random number generators (PRNGs) are useful in all applications that use Monte Carlo methods and also in cryptography [1]. PRNGs are algorithms implemented on finite-state machines for generating sequences of numbers which appear random-like under many aspects. These sequences are necessarily periodic, but their periods are very long, they pass many statistical tests, and they may be easily implemented with simple and fast software routines.

[4] Chaotic systems may be used both in cryptography (see [2]) and in generating pseudo-random numbers. For example, in a series of papers [3], a chaos-derived pseudo-random number generator has been proposed. It has been numerically observed that the average cycle and transient lengths grow exponentially with the precision of the implementation, and from this fact it has been deduced that using high-precision arithmetic it is possible to obtain PRNGs which are still of cryptographic interest. The usual statistical tests applied to PRNGs for use in Monte Carlo simulations are generally simple.

[5] In cryptography, a PRNG should not only have good statistical properties, but also be "cryptographically secure", i.e., given a sequence of pseudo random bits it should be impossible to predict the next number of the sequence with a probability much greater than 1/2. For this reason, PRNGs suitable for cryptographic applications must pass the next-bit test.

[6] The existing cryptographically secure PRNGs are not computationally efficient. Hence they are used only for highly critical off-line operations, while for on-line tasks (like stream ciphers) fast but not cryptographically secure PRNGs are employed. The drawback of this fact is that stream ciphers can be attacked by exploiting the weakness of their PRNGs.

[7] Statistical properties of binary sequences generated by a class of ergodic maps with some symmetry properties are discussed in [4]. The authors derived a sufficient condition for this class of maps to produce a sequence of independent and identically distributed binary random variables. However, the implementation of these maps on finite-state machines and the consequences this implementation may have on the randomness of the generated sequences have not been discussed.

[8] For a better comprehension of a possible field of application of the invention, a brief introduction to the basic concepts of pseudo-random bit generation is provided, according to the approach of [1] (see also [5]).

[9] Definition 1 A (truly) random bit generator is a device which outputs a sequence of statistically independent and unbiased binary digits.

[10] A random bit generator can be used to generate random numbers. For a chaos-based generator of truly random bits see [6].

[11] Definition 2 A pseudo-random bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length $l \gg k$ which "appears" to be random. The input of the PRBG is called the seed, while the output of the PRBG is called a pseudo-random bit sequence.

[12] Definition 3 A pseudo-random bit generator is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 1/2.

[13] Definition 4 A pseudo-random bit generator is said to pass the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits of an output sequence s, can predict the (l + 1)st bit of s with probability significantly greater than 1/2.

[14] In this case a PRBG is said to be unpredictable.

[15] Theorem 1 A pseudo-random bit generator passes the next-bit test if and only if it passes all polynomial-time statistical tests.

[16] Definition 5 Let $G = \{G_n, n \ge 1\}$ be an ensemble of generators, with $G_n : \{0,1\}^n \to \{0,1\}^{p(n)}$, where $p(\cdot)$ is a polynomial satisfying $n + 1 \le p(n) \le n^c + c$ for some fixed integer c. We say that G is a cryptographically secure pseudo-random bit generator if:

- There is a deterministic polynomial-time algorithm that on input of any n-bit string outputs a string of length p(n).

- For sufficiently large n, the generator $G_n$ passes the next-bit test.

[17] All above definitions and the theorem are informal. For a formal definition of statistical test (Definition 3), see Yao [7]. The notion of a cryptographically secure pseudo-random bit generator was introduced by Blum and Micali [8]. Theorem 1 (universality of the next-bit test) is due to Yao [7].

[18] The last three definitions above are given in complexity-theoretic terms and are asymptotic in nature because the notion of "polynomial-time" is meaningful for asymptotically large inputs only. Therefore, the security results for a particular family of PRBGs are only an indirect indication about the security of individual members.

[19] Blum and Micali [8] presented the following construction of a cryptographically secure PRBG. Let D be a finite set, and let $f : D \to D$ be a permutation that can be efficiently computed. Let $B : D \to \{0, 1\}$ be a Boolean predicate with the property that $B(x)$ is hard to compute given only $x \in D$; however, $B(x)$ can be efficiently computed given $y = f^{-1}(x)$. The output sequence $z_1, z_2, \ldots, z_l$ corresponding to the seed $x_0 \in D$ is obtained by computing $x_i = f(x_{i-1})$, $z_i = B(x_i)$, for $1 \le i \le l$.
[20] Blum and Micali [8] proposed the first concrete instance of a cryptographically secure PRBG. Let p be a large prime. Define $D = \mathbb{Z}_p^* = \{1, 2, \ldots, p - 1\}$ and let $\alpha$ be a generator of $\mathbb{Z}_p^*$. The function $f : D \to D$ is defined by $f(x) = \alpha^x \bmod p$. The function $B : D \to \{0, 1\}$ is defined by $B(x) = 1$ if $0 \le \log_\alpha x \le (p - 1)/2$ and $B(x) = 0$ if $\log_\alpha x > (p - 1)/2$. Assuming the intractability of the discrete logarithm problem in $\mathbb{Z}_p^*$, the Blum-Micali generator was proven to satisfy the next-bit test. Other examples of cryptographically secure PRBGs are the RSA generator [9] and the Blum-Blum-Shub generator [10].

Linear congruential generators

[21] A linear congruential generator produces a pseudo-random sequence of numbers $x_0, x_1, \ldots$ according to the linear recurrence

$x_n = (a x_{n-1} + b) \bmod m, \quad n \ge 1$

[22] Integers a, b and m are parameters which characterize the generator, while $x_0$ is the seed. Generators of this form are widely used in Monte Carlo methods, taking $x_n / m$ to simulate uniform draws on [0, 1].

[23] For a study of linear congruential generators, see Knuth [11]. Plumstead [12] and Boyar [13] showed how to predict the output sequence of a linear congruential generator given only a few elements of the output sequence, and when the parameters a, b, and m of the generator are unknown. Boyar [13] extended her methods and showed that linear multivariate congruential generators,

$x_n = (a_1 x_{n-1} + a_2 x_{n-2} + \cdots + a_l x_{n-l}) \bmod m$

and quadratic congruential generators,

$x_n = (a x_{n-1}^2 + b x_{n-1} + c) \bmod m$

are cryptographically insecure. Krawczyk [14] showed how the output of any multivariate polynomial generator can be efficiently predicted. A truncated linear congruential generator is one where a fraction of the least significant bits of $x_i$ are discarded. Frieze et al. [15] showed that these generators can be efficiently predicted if the parameters a, b, and m are known. Stern [16] extended this method to the case where only m is known. Boyar [17] presented an efficient algorithm for predicting linear congruential generators when $O(\log \log m)$ bits are discarded, and the parameters are unknown.



[24] No efficient prediction algorithms are known for truncated multivariate polynomial congruential generators.

Summary

[25] In one embodiment of the invention, a method of generating a sequence of chaos-based pseudo-random numbers and a hardware pseudo-random bit generator are relatively easy to realize. The sequence of numbers is practically unpredictable and at the same time may be generated using very simple functions.

[26] The known methods of generating cryptographically secure (or unpredictable) pseudo-random numbers are based on the use of complicated functions whose inverse is well-defined but is hard to compute. According to common knowledge this is necessary, because otherwise it would be easy to predict the numbers of a pseudo-random sequence.

[27] As a consequence, known methods are relatively slow and hardware generators that implement them have a quite complex architecture.

[28] On the contrary, a method according to an embodiment of the invention comprises generating pseudo-random numbers by using simple functions whose inverses are not well-defined functions and have a large number of branches, although the inverse might be easily computed on each particular branch.

[29] More precisely, one embodiment of the present invention is a method for generating a chaos-based pseudo-random sequence comprising the steps of:

- defining a chaotic map for generating a pseudo-random sequence of integer numbers comprised in a certain interval;

- defining a function on the first interval whose inverse has a plurality of branches;

- choosing a seed of the pseudo-random sequence of integer numbers comprised in the interval;

- generating numbers of the pseudo-random sequence;

- calculating numbers of a chaos-based pseudo-random sequence by applying the function to corresponding integer numbers of the pseudo-random sequence.

[30] This method is preferably used for generating chaos-based pseudo-random bit sequences and may be implemented in a hardware generator of chaos-based pseudo random bit sequences, comprising:

- circuit means for storing bit strings representing integer numbers of the pseudo-random sequence;

- a shift register coupled to the circuit means;

- a command circuit generating shift commands for the shift register;

- second circuit means for storing the bits output by the shift register;

- an adder modulo 2 summing the bits stored in the second circuit means, generating a bit of the chaos-based pseudo-random bit sequence;

- a second adder summing up the bit strings currently stored in the shift register and in the first circuit means, generating a bit string representing a successive number of the pseudo-random sequence.

Brief Description of the Drawings

[31] Different aspects and advantages of the invention will appear even more clearly through the following non-limiting description referring to the attached drawings, wherein:

[32] FIG. 1 is a diagram describing in a basic manner a preferred embodiment of the method of the invention for generating chaos-based pseudo-random bit sequences;

[33] FIG. 2 is a hardware generator implementing an embodiment of the method of the invention;

[34] FIG. 3 is a particular embodiment of a hardware generator of the invention implementing the method described in FIG. 1 for k = 2.
Description of Several Embodiments of the Invention

[35] In order to illustrate in an easy manner the gist of the invention, let us refer to the following sample algorithm for generating a sequence of (real) numbers $X_1, X_2, \ldots$.

[36] First of all, a chaotic map is chosen:

$x_{n+1} = f(x_n) = \left[\frac{p}{2^m}\, x_n\right] \bmod 2^m \quad (1)$

where $n = 0, 1, \ldots$, $x_0 \in [0, 2^m]$, $p > 2^m$, and p is an odd integer. The generic term $X_n$ of the sequence is given by

$X_n = H(x_n) = \sin^2(x_n) \quad (2)$

[37] Is the sequence $X_1, X_2, \ldots$ predictable? In other words, knowing a finite number of elements of this sequence, say $X_j, X_{j+1}, \ldots, X_{j+k-1}$, is it possible to predict the previous and the next elements of the sequence, $X_{j-1}$ and $X_{j+k}$?

[38] Let us start our discussion from the simplest case: p = 3 and m = 1. Using the following well known relations

$\sin^2\!\left(\frac{3}{2} a\right) = \frac{1}{2}\left[1 - \cos(3a)\right]$

$\cos(3a) = \pm\sqrt{1 - \sin^2(3a)}$

and

$\sin^2(3a) = \sin^2(a) \cdot \left[3 - 4\sin^2(a)\right]^2$

we find

[39] It is easy to show that for almost all $X_n$ there are 2 equally likely values for $X_{n+1}$. In a similar way, for almost all $X_{n+1}$ there are 3 equally likely values for $X_n$. Furthermore, the number of points $X_j$ for which there are less than 2 values of $X_{j+1}$ (or less than 3 values of $X_{j-1}$) is finite.
[40] This result can be generalized for arbitrary p and m. After simple algebra we find a functional relation between $X_n$ and $X_{n+1}$:

$\left[2 \cdots 2\left((2X_{n+1} - 1)^2 - 1\right)^2 \cdots - 1\right]^2 + F_p(X_n) = 1 \quad (3)$

where the first term in the left-hand side of this equation is a polynomial of order $2^m$ and $F_p$ is the p-th order Chebyshev map. Thus, for arbitrary m and almost all $x_0$, equation (3) has $2^m$ solutions for $X_{n+1}$ when $X_n$ is known and p solutions for $X_n$ when $X_{n+1}$ is known. Therefore, for large m and almost all $x_0$ the sequence is one-step unpredictable: for any element in the sequence $\{X_k\}$ one can only guess with probability $1/2^m$ (among $2^m$ equally distributed values of $X_{k+1}$) what the next element $X_{k+1}$ is, and with probability $1/p$ (among p equally distributed values of $X_{k-1}$) what the previous element $X_{k-1}$ was. The set of initial conditions $x_0$ for which the above statement does not hold is finite.

[41] What are the properties of the sequence $X_1, X_2, \ldots$? The map $H(\cdot)$ in (2) is not a distribution preserving map and thus the output sequence is not equally distributed. It is possible to avoid this problem using, for example, a periodic tent map instead of the sine function.

[42] There are much more serious problems related to the sequence $X_1, X_2, \ldots$: it has been proved that this sequence is 1-step unpredictable, but from this it does not follow that the sequence is k-step unpredictable. In fact, the sequence $X_1, X_2, \ldots$ is 3-step predictable, as follows from the following analysis.

[43] Let $b_m \ldots b_1 b_0 . a_1 a_2 \ldots$ be the binary representation of $x \in [0, q]$, $q = 2^m$, and $x = (b_m, \ldots, b_1, b_0; a_1, a_2, \ldots)$. Let us define the functions $c(x)$ and $d(x)$ as $c(x) = b_m \ldots b_1 b_0$ and $d(x) = 0.a_1 a_2 \ldots$. Suppose we know the value of $d((r \cdot c) \bmod q)$, where

$c \in \{0, 1, \ldots, q - 1\}, \quad r = p/q, \quad q = 2^m, \quad \gcd(p, q) = 1, \quad p > q$

$\gcd(\cdot, \cdot)$ being the greatest common divisor function.

[44] Is the value of c predictable? Let $0.r_{-1} \ldots r_{-m}$ and $c_{m-1} \ldots c_1 c_0$ be the binary representations of $d(r)$ and c, respectively, and let $0.a_1 a_2 \ldots a_m$ be the binary representation of $d((r \cdot c) \bmod q)$. Given that $a_m = c_0 \cdot r_{-m}$ and $r_{-m} = 1$ (p must be an odd number), it holds that $c_0 = a_m$. Therefore, by knowing the value of $a_m$, $c_0$ can be easily determined. Furthermore, from the relation $a_{m-1} = r_{-m+1} \cdot c_0 \oplus r_{-m} \cdot c_1$ and the previously determined value of $c_0$ it is possible to determine the value of $c_1$. By repeating these arguments, the values of all bits $c_0, c_1, \ldots, c_{m-1}$ may be computed.

[45] Proposition 1 Let $c \in \{0, 1, \ldots, q - 1\}$ and $r = p/q$, where $p > q$, $\gcd(p, q) = 1$, and $q = 2^m$. If we know the value of $d((r \cdot c) \bmod q)$, then we can uniquely determine the value of c.

[46] We say that the sequence $X_1, X_2, X_3, \ldots$ is k-step predictable if there exist $X_n, X_{n+1}, \ldots, X_{n+k-1}$ such that knowing them one can predict the values of $X_{n-1}$ or

[47] Theorem 2 The sequence $X_1, X_2, X_3, \ldots$ is 3-step predictable.

[48] Proof. It holds that $X_1 = H(x_1)$, $X_2 = H(x_2)$ and $X_3 = H(x_3)$. Let $c_1 = c(x_1)$, $d_1 = d(x_1)$, $c_2 = c(x_2)$ and $d_2 = d(x_2)$. According to the first relation the value of $d_1$ is either $d_{11} = \arcsin(\sqrt{X_1}) \in [0, \pi/2]$ or $d_{12} = \pi - d_{11}$. Analogously, the value of $d_2$ is either $d_{21} = \arcsin(\sqrt{X_2}) \in [0, \pi/2]$ or $d_{22} = \pi - d_{21}$. Furthermore, $x_1$ and $x_2$ are related as $x_2 = (r \cdot x_1) \bmod q$. Therefore we have

$d_2 = d\big((r \cdot (c_1 + d_1)) \bmod q\big) = d\big(d((r \cdot c_1) \bmod q) + d((r \cdot d_1) \bmod q)\big) \quad (4)$

[49] Let $c_1(i, j)$ denote the solution of equation (4) if such a solution exists. There are at most four possible values of $x_1$: $c_1(1, 1) + d_{11}$, $c_1(1, 2) + d_{11}$, $c_1(2, 1) + d_{12}$ and $c_1(2, 2) + d_{12}$. The actual value of $x_1$ can be determined by checking for which of these values the third member of the sequence is $X_3$. Once the value of $x_1$ is determined, it is easy to compute all subsequent members $X_4, X_5, \ldots$

[50] There are several ways to generalize equations (1) and (2). First, $f(\cdot)$ in (1) can be an arbitrary chaotic map defined on [0, q], where q is a large integer. Second, $H(\cdot)$ in (2) can be an arbitrary non-periodic function $H : [0, q] \to [0, 1]$ such that its inverse $H^{-1}(\cdot)$ has q branches. Third, the proof of Theorem 2 uses the fact that $H(\cdot)$ is a periodic function from [0, q] to [0, 1], but, for example, $H(\cdot)$ can be any periodic function $H : [0, q] \to C$, where C is a finite small set, for example $C = \{0, 1\}$. Some of these possibilities are examined hereinafter.

Cryptographically Secure PRNGs

[51] The construction of cryptographically secure PRBGs of Blum and Micali [8] is based on the assumption that the inverse of a function is a well-defined function but is hard to compute.

[52] On the contrary, according to a method of an embodiment of the present invention, it is possible to have cryptographically secure PRNGs (and thus cryptographically secure PRBGs) using simple functions $H(\cdot)$ whose inverse is not a well-defined function and has a large number of branches, although the inverse is easy to compute on a particular branch. In particular, if the inverse of the function $H : [0, q] \to C$ has q branches, then even knowing a value $X_n$ of the random number sequence $X_1, X_2, \ldots$, the effectively used value $x_n$ such that $X_n = H(x_n)$ may be predicted only with probability 1/q, that is, $x_n$ may be any of the integers of the interval [0, q].

[53] This approach is much more convenient than the approach of Blum and Micali [8] because the function $H(\cdot)$ may be very simple, and thus it may be easily implemented for realizing effectively unpredictable sequences of pseudo-random numbers.

[54] Because of the importance of PRBGs, in the ensuing description reference will be made to a preferred embodiment of the invention for generating a pseudo-random sequence of bits, but what will be stated could be easily repeated, mutatis mutandis, for generators of sequences of pseudo-random numbers.

[55] A class of pseudo random bit generators is designed that use only binary operations and may be implemented as a fast algorithm. To keep the connection with the previous description as close as possible, we slightly alter the notation and write $X_i$ for the output sequence of bits.

[56] Let $b_M \ldots b_1 b_0 . a_1 a_2 \ldots$ be the binary representation of $x \in I = [0, 2^M]$ and $x = (b_M, \ldots, b_0; a_1, a_2, \ldots)$. Let us define a set

$I^{(k)} = \{x \mid x = (b_M, \ldots, b_0; a_1, a_2, \ldots, a_k)\}$

as the set of truncated real numbers in I. Let $\mathrm{trunc}_k : I \to I^{(k)}$ and $H : I^{(k)} \to \{0, 1\}$ be two functions defined as follows:

and

$H(x) = a_1 \oplus a_2 \oplus \cdots \oplus a_k \quad (6)$

[57] The seed of the generator is the string of 0s and 1s of length M + k + 1, which is written in the form $x_0 = (b_M, \ldots, b_0; a_1, \ldots, a_k)$. The output of the generator is a sequence of bits $X_1, X_2, \ldots$ produced as described hereinbelow.

[58] Two sample pseudo-random bit generators are presented. In the first case the next bit is generated as:

$x_{i+1} = \mathrm{trunc}_k\!\left(\frac{p}{2^m}\, x_i \bmod 2^M\right) \quad (7)$

$X_{i+1} = H(x_{i+1}) \quad (8)$

[59] In the second case, the bit $X_i$ has been produced. The next bit is generated as:

$y_i = x_i \oplus X_i \quad (9)$

$x_{i+1} = \mathrm{trunc}_k\!\left(\frac{p}{2^m}\, y_i \bmod 2^M\right) \quad (10)$

$X_{i+1} = H(x_{i+1}) \quad (11)$

[60] In the above equations $i = 0, 1, 2, \ldots$; p, m, M and k are the parameters of the generator; $X_0 = 0$ and

$x_i \oplus X_i = (a_1, a_2, \ldots) \oplus \beta = (a_1 \oplus \beta, a_2 \oplus \beta, \ldots)$

[61] Equations (7) and (10) are discrete versions of (1). An additional parameter M has been introduced to make the algorithm more flexible: m can be an arbitrary integer, while $2^M$ is preferably a large number. The output of the generator is given by (8) or (11): instead of the sine function, a periodic function H defined by (6) is used. Finally, with (9) the initial point (seed) of the generator is changed in each iteration. The parameters of the generator have the following constraints: p is an arbitrary odd integer such that $p > 2^m$, M is an integer such that $M \ge 64$ and $M \gg m$, and m and k are arbitrary integers.
[62] Simple arguments (not a proof) for an elementary explanation of the unpredictability of the generator are given. The next bit of the generator (or the previous bit $X_{i-1}$) may be determined only if all bits of $x_i$ are known, which is, however, not possible: $x_i$ has the form $x_i = (c_M, \ldots, c_0; d_1, \ldots, d_k)$ and one can only guess the value of $x_i$ among $2^{M+k+1}$ equally distributed values. Moreover, it has been numerically verified that the probability $p(X_i \mid X_{i-1} X_{i-2} \ldots)$ does not depend on the previously generated bits and is approximately equal to 0.5.
[63] Let $G = \{G_n, n \ge 1\}$ be an ensemble of generators, with $G_n : \{0,1\}^n \to \{0,1\}^{p(n)}$, where $p(\cdot)$ is a polynomial satisfying $n + 1 \le p(n) \le n^c + c$ for some fixed integer c. It is well known that if a cryptographically secure PRBG with $p(n) = n + 1$ exists, then there is a cryptographically secure PRNG with $p(n) = n^c + c$ for each $c \ge 2$. Therefore, using all the above arguments it is possible to conclude that the presented bit generators are cryptographically secure.

[64] By defining p, m, M and k a particular pseudo-random number generator can be realized. Two examples are presented.

[65] Example 1 The generator is defined by equations (7) and (8). The parameters of the pseudo-random number generator are: p = 5, m = 2, M = 256 and k = 2.

[66] Example 2 The generator is defined by equations (9), (10) and (11). The parameters are: p = 419, m = 8, M = 64 and k = 64.

[67] Statistical tests cannot prove that a sequence is random; tests can only show that a sequence is not random. In other words, tests help only to detect certain kinds of weaknesses a generator may have. If a sequence passes a finite number of statistical tests, it is not guaranteed that the sequence was indeed generated by a (truly) random number generator.

[68] Five standard tests, commonly used for determining whether a binary sequence has some properties that a truly random sequence would be likely to exhibit, are [1]: frequency test, serial test, poker test, runs test, and autocorrelation test. Linear congruential generators pass the standard tests. An additional package of tests was proposed in [18] for which standard random number generators (congruential, shift-register and lagged-Fibonacci generators) give poor results.

[69] All these tests have been applied to the generators described in the previous section, and the results are summarized in the following table.





Test                                   PRNG1   PRNG2   PRNG3
Birthday Spacings                      FAIL    pass    pass
Overlapping 5-permutation              FAIL    pass    pass
Binary rank for 31x31 matrices         FAIL    pass    pass
Binary rank for 32x32 matrices         FAIL    pass    pass
Binary rank for 6x8 matrices           FAIL    pass    pass
Bitstream                              FAIL    pass    pass
OPSO                                   FAIL    pass    pass
OQSO                                   FAIL    pass    pass
DNA                                    FAIL    pass    pass
Count-the-1's on a stream of bytes     FAIL    pass    pass
Count-the-1's for specific bytes       FAIL    pass    pass
Parking lot                            FAIL    pass    pass
Minimum distance                       FAIL    pass    pass
3DSpheres                              FAIL    pass    pass
Squeeze                                FAIL    pass    pass
Overlapping sums                       pass    pass    pass
Runs                                   pass    pass    pass
Craps                                  FAIL    pass    pass

Tab. 1

[70] PRNG1 is a linear congruential generator with a = 84589, b = 45989, and m = 217728. The values of the parameters are taken from [19]; we obtain similar results with different values for a, b and m. PRNG2 and PRNG3 are the generators from Examples 1 and 2.

Description of a hardware generator according to an embodiment of the invention

[71] Once the parameters p, m, k and M of equations (7) and (8) (or of equations (9), (10) and (11)) are fixed, a hardware Pseudo Random Bit Generator may be easily and efficiently implemented.
[72] Following Example 1 (PRNG2), we take p = 5, m = 2, k = 2 and M = 256. Now $x_i = b + a$, where (in base 2) $b = b_M \ldots b_1 b_0$ and $a = 0.a_1 a_2$, and $\frac{p}{2^m} = 1 + \frac{1}{2^2}$. Then $\left(\frac{p}{2^m}\, x_i\right) \bmod 2^M$ can be rewritten as

$\left(b + a + \frac{b}{2^2} + \frac{a}{2^2}\right) \bmod 2^M$

[73] The term $b/2^2$ can be obtained by shifting b by 2 bits towards the right (i.e., $b/2^2 = 00 b_M \ldots b_3 b_2 . b_1 b_0$). Moreover, since the term $a/2^2$ is less than $1/2^2$, it only affects bits beyond the second fractional position; it is therefore immaterial with respect to the truncation operation $\mathrm{trunc}_2$ and we can omit it. At last, the $\bmod 2^M$ operation is simply obtained by discarding the overflow of the M-bit summation. Therefore, the quantity $\mathrm{trunc}_2\!\left(\frac{p}{2^m}\, x_i \bmod 2^M\right)$ is substantially the sum between the two bit strings $b_M \ldots b_3 b_2 b_1 b_0 . a_1 a_2$ and $00 b_M \ldots b_3 b_2 . b_1 b_0$.

[74] Summing up, the operations involved in PRNG2 are bit shift, bit sum and XOR (while, for example, the Blum-Micali generator uses power operators and the Blum-Blum-Shub generator uses products). FIG. 1 depicts the application of equations (7) and (8) at the generic i-th step.

[75] In the above mentioned figure, the array of bits $b'_M \ldots b'_1 b'_0 . a'_1 a'_2$ indicates the result of the sum between $b_M \ldots b_3 b_2 b_1 b_0 . a_1 a_2$ and $00 b_M \ldots b_3 b_2 . b_1 b_0$ and is stored in a temporary buffer for (the base 2 representation of) $x_{i+1}$. At the subsequent (i + 1)th step, the content of this buffer shall be overwritten on the bits $b_M \ldots b_3 b_2 b_1 b_0 . a_1 a_2$.

[76] A basic realization of a hardware generator of a chaos-based pseudo-random bit sequence of the invention is depicted in FIG. 2. It comprises a first memory buffer MEM storing bit strings representing integer numbers $x_n$ of the PRN sequence, a shift register R1 driven by a command circuit, a second memory buffer R2 storing the bits output by the shift register R1, a first adder ADD1 modulo 2 and a second adder ADD2.
[77] Preliminarily, a seed $x_0$ is stored in the memory buffer MEM; then the desired bit sequence $X_n$ is generated by repeating cyclically the following steps:

- the content of the first buffer is copied into the shift register R1;

- the command circuit provides a certain number k of shift commands to the shift register R1, which outputs the k least significant bits of the string representing the number $x_n$;

- the bits output by the shift register are stored in the second buffer R2 and are summed by the first adder modulo 2 ADD1, generating a bit $X_n$ of the chaos-based pseudo-random bit sequence;

- the second adder ADD2 sums the bit strings currently stored in the shift register and in the memory MEM, generating a bit string representing a successive number $x_{n+1}$ of the pseudo-random sequence which is stored in the first buffer MEM.

[78] The hardware generator of FIG. 2 may be used whatever the number k is.

[79] A simpler embodiment of a hardware generator according to an embodiment of the invention, especially designed for implementing the method for k = 2, is depicted in FIG. 3. Differently from the generator of FIG. 2, the register R2 is not present and R1 can be a register of any kind.

[80] Initially, the memory buffer MEM is loaded with a seed $x_0$; then, according to the embodiment of the method of the invention described in FIG. 1, the following operations are carried out:

- copying into the register R1 a bit string stored in the memory buffer MEM representing a current number $x_n$ of the pseudo-random sequence,

- generating a bit $X_n$ of the chaos-based pseudo-random bit sequence by summing modulo 2 (XORing) the two (k = 2) least significant bits of the bit string stored in the register R1,

- generating a bit string representing a successive number $x_{n+1}$ of the pseudo-random sequence by summing up the bit string representing the current number $x_n$ and the bit string obtained by eliminating the two least significant bits of the bit string stored in the register R1,

- storing in the memory buffer MEM the bit string representing the successive number $x_{n+1}$.
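A register-level model of the FIG. 2 machine running the PRNG2 datapath of [72]-[73] (p = 5, m = 2, k = 2), as an added example that is not the patent's circuit: MEM, R1, R2, ADD1 and ADD2 are modelled on MSB-first bit lists and the result is checked against the integer recurrence N → floor(5N/4) mod 2^(M+k). The seed bit strings are constructed; as in the step list of [77], the output bit $X_n$ is taken from $x_n$ before the update, so the first output is $H(x_0)$.

```python
K = 2  # shift commands per cycle; with p = 5, m = 2 the map is x + x/2**2


def ripple_add(a, b):
    """ADD2: ripple-carry sum of two equal-length MSB-first bit lists.
    The final carry (overflow beyond the register width) is discarded,
    which realizes the mod 2**M of equation (7) as the page describes."""
    out, carry = [0] * len(a), 0
    for i in range(len(a) - 1, -1, -1):
        s = a[i] + b[i] + carry
        out[i], carry = s & 1, s >> 1
    return out


def hw_step(mem):
    """One cycle of the FIG. 2 machine. mem holds x_n as the bits
    b_{M-1} .. b_0 followed by a_1 a_2. Returns (X_n, x_{n+1})."""
    r1 = list(mem)                       # copy MEM into the shift register R1
    r2 = []
    for _ in range(K):                   # K shift commands: LSBs fall out into R2
        r2.append(r1.pop())
        r1.insert(0, 0)                  # a zero enters at the MSB end
    x_bit = 0
    for bit in r2:                       # ADD1: modulo-2 sum of the shifted-out bits
        x_bit ^= bit
    # ADD2: MEM + (MEM shifted right by K), i.e. b + b/2**2 with a/2**2 omitted
    return x_bit, ripple_add(mem, r1)


def hw_bits(seed_bits, n):
    """Run the machine n cycles from a seed and collect the output bits."""
    mem, out = list(seed_bits), []
    for _ in range(n):
        x_bit, mem = hw_step(mem)
        out.append(x_bit)
    return out


def closed_form_bits(seed_bits, n):
    """The same machine as an integer recurrence N -> floor(5N/4) mod 2**(M+K),
    emitting X_n = parity(a_1 .. a_K of x_n) before each update, like ADD1."""
    N = int("".join(map(str, seed_bits)), 2)
    mask = (1 << len(seed_bits)) - 1
    out = []
    for _ in range(n):
        out.append(bin(N & ((1 << K) - 1)).count("1") & 1)
        N = ((5 * N) >> 2) & mask
    return out


if __name__ == "__main__":
    # Constructed seed: M = 8 integer bits followed by K = 2 fractional bits.
    seed = [1, 0, 1, 1, 0, 1, 1, 0, 1, 1]
    print("register model:", hw_bits(seed, 16))
    print("closed form:   ", closed_form_bits(seed, 16))
```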

[81] As will be apparent to the skilled practitioner, once the generator of FIG. 3 has been realized, it cannot be used for any value of $k \ne 2$, because it would be necessary to change the connections between the register R1 and the cascade of adding gates [+] that constitute the adder modulo 2 ADD2.

[82] From the foregoing it will be appreciated that, although specific embodiments of the invention have been described herein for purposes of illustration, various modifications may be made without deviating from the spirit and scope of the invention.